- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 12 Apr 2010 15:10:04 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Arthur Barstow <art.barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Apr 12, 2010 at 1:00 PM, Maciej Stachowiak <mjs@apple.com> wrote: > > On Apr 12, 2010, at 10:33 AM, Tyler Close wrote: > >> On Mon, Apr 12, 2010 at 6:49 AM, Arthur Barstow <art.barstow@nokia.com> >> wrote: >>> >>> Maciej, Tyler - thanks for continuing this discussion. I think it would >>> be >>> helpful to have consensus on what we mean by subsetting in this context. >>> (Perhaps the agreed definition could be added to the CORS and UMP >>> Comparison >>> [1].) >> >> I've added a new section to the wiki page, "UMP as subset of CORS": >> >> >> http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UMP#UMP_as_subset_of_CORS >> > > I do not think the set of subset criteria posted there matches what I > proposed and what we've been discussing in this thread. I intended criteria #3 to correspond to conditions A1+B2 in our last email exchange, which covers an UMP API to CORS resource message exchange. The last unnumbered criteria corresponds to conditions A2+B1 in our last email exchange, which covers a CORS API to UMP resource message exchange. Criteria #1 and #2 correspond to the additional safety aspects of condition C that you wanted explicitly stated. What aspect of the subset criteria have I missed? > Should I put some > abbreviated form of my proposal in the wiki? I am not sure what the > conventions are for editing this wiki page. > > I think the points you make on the wiki about cross-endangerment are good, > but they are not really subset criteria, that's a property we want for any > two Web platform features, and it could be achieved with a strategy of > making things completely different instead of the subset strategy. They do > represent relations that we should maintain however. I included these because our last email exchange indicated to me that you wanted them explicitly stated. > I think even taken together, your set of subset conditions does guarantee > that a CORS client implementation is automatically also a UMP client > implementation. If we went that way, then we would have to consider whether > there will ever be client implementors of UMP itself, or it will be > impossible to fulfill CR exit criteria. If there are implementers of CORS, then by definition, there are implementers of UMP. I don't see anything in CR exit criteria that requires implementers to swear not to also implement other specifications. --Tyler -- "Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.html
Received on Monday, 12 April 2010 22:10:37 UTC